The Commsrisk Review of 2017

Father Time has watched the sand slip through the hourglass of 2017, and so must hand his robe and scythe to the infant new year. In some respects we endured a tumultuous twelve months, though I suspect many in our field will be doing work that has not changed as much as it ought. Here is the review of the events, incidents and stories that shaped the year, and also point a finger at the direction we are headed.

January

Shares in BT fell by over 20 percent during one day, after the discovery of a serious insider fraud led BT to write down the value of their Italian unit by GBP530mn (USD663mn).

The Australian Privacy Commissioner lost a legal battle with Telstra over the need to tell customers technical details like the IP addresses and cell masts they have used. The Commissioner believed customers had a right to see the data because it is personal to them, but the court sided with Telstra’s opinion that technical matters are not ‘about’ the customer.

Media pressure forced Ofcom, the UK comms regulator, to get tough on repeated overcharging fiascos. As a consequence, Ofcom imposed a fine of GBP2.7mn (USD3.3mn) upon mobile provider EE for overcharging approximately 40,000 customers.

The owner of a small US telco pleaded guilty to cloning phones and using them to carry international traffic to Caribbean islands. On the other side of the world, the Chinese authorities demonstrated how keen they are to extradite scammers who target Chinese nationals from foreign countries, even if that increases tensions with Taiwan.

Research by Dave Morrow showed that whilst the UK authorities have the legal authority to confiscate the profits of telecoms fraudsters, they hardly ever use those powers.

February

An anti-piracy organization took the Czech Pirate Party to court, claiming they were violating copyright by running a website providing links to pirated films and television shows. However, the pirates won on a technicality. Meanwhile, a US court decided that Google should submit to warrants demanding data about customers irrespective of where in the world the data is stored.

Araxxe, the French RAFM vendor, warned that new European Union billing rules would lead to a rise in frauds that mask the true source of telecoms traffic.

Research firm Stratecast once again announced WeDo as market leaders in telecoms financial assurance. TEOCO sought to increase their share of the telecoms analytics market by purchasing data processing experts PreClarity.

Commsrisk contributor Rene Felber received the TM Forum’s Outstanding Contributor Award for his revenue assurance work.

March

Indian RAFM vendor Subex did deals resulting in USD12mn of new capital being injected into their business. Management said the money would be spent on strengthening the company’s portfolio and that some might be used for acquisitions.

Ericsson reached an agreement with RAFM vendor WeDo to pre-integrate WeDo’s assurance software into Ericsson’s OSS/BSS systems. However, many of the details were vague.

There was a major victory in the battle to prevent piracy of English football when a court granted an injunction ordering the six biggest British ISPs to block servers streaming live coverage of Premier League games.

Ofcom levied another big fine for a UK telco that overcharged customers. However, the notes for the case showed that Plusnet were punished for errors that began almost six years earlier.

Investigations showed that customers of UK telco TalkTalk were falling victim to ‘industrial scale’ scams run from Indian call centers. These criminal enterprises had been empowered by the abuse of TalkTalk customer data.

A previously unknown telecoms expert volunteered to write content for Commsrisk. However, the ‘expert’ proved to have a fake identity.

April

There was a big fall in the share price of Cartesian, the US-headquartered telecoms services and software business, after management announced poor results for the year. The weakness in the share price raised questions about whether Cartesian could remain listed on Nasdaq for much longer, but management offered no substantive ideas for how to turn the business around. Cartesian suffered losses even though their acquisition of digital TV experts Farncombe had proven successful.

The European Union’s highest court decided it is illegal to sell streaming boxes where software add-ons that enable piracy have been pre-installed.

An investigation by Al Jazeera revealed how suppliers of IMSI-catchers and IP intercept systems abuse rules designed to prevent the spread of spyware.

A financial accountant at South African telco MTN was accused of stealing ZAR24mn (USD1.8mn) from her employer.

A long-running public feud over which government body had the right to audit telco revenues in Ghana drew to a close when ministers agreed to meet and discuss the “confusion” which had resulted in two separate businesses demanding the same data from telcos in order to perform similar assurance checks.

After falling for a while, there was another surge in complaints about Vodafone UK incorrectly billing customers. Ofcom responded by making excuses for Vodafone and misleading assertions about a fine it had imposed upon the telco.

May

EURECOM researcher Merve Şahin published the results of her study of the impact of OTT bypass on a small European operator. She found that OTT bypass rates can be as high as 80 percent from some sources, and that delays meant callers may hear the ring tone for up to a minute before the recipient’s phone actually starts ringing.

Subex announced an 11 percent rise in annual revenues. They also announced a new five-year deal with BT, their most important customer.

After becoming embroiled in several controversies, Lycamobile got into a public argument with their former auditors KPMG about whether KPMG had resigned from the role or Lycamobile had booted them out.

The Wannacry virus infected thousands of organizations, causing panic around the globe. However, the timing was good for me, because I had travelled to WeDo’s User Group event in Lisbon to argue that we must use fear to drive increased investment in our work.

Hearts and hopes were raised around the world by the news that a former revenue assurance manager had been made CFO of Vodafone Fiji.

June

The annual Verizon Data Breach report was published. Amongst the highlights it was clear that single factor authentication is no longer sufficient and that CEO frauds have become increasingly common.

Some of Subex’s new capital was spent on unveiling a new logo and repositioning them as providers of analytics.

WeDo sought to increase sales to smaller telcos by offering cloud-based services on a free trial basis.

A customer of British telco O2 complained that he had been billed for 11 years of service after canceling his contract. O2 said they had no record of the contract being terminated but offered to refund half of the money they had taken.

After running events since 2004, the Risk & Assurance Group (RAG) ventured outside of the UK for the first time. Their conference at Deutsche Telekom’s head office in Bonn attracted an enthusiastic audience as well as top speakers from around the world.

July

Poor security practices at a supplier allowed the exposure of sensitive data about 14mn Verizon customers.

The arrest of 11 fraudsters led to an argument about whether some of them worked for MTN Nigeria.

Google were caught funding academic research that suits their business interests but hurts those of telcos.

Dave Morrow interviewed a former fraudster and learned it is cheap to bribe the fraud analysts that work for telcos.

August

TalkTalk were eventually fined for the data protection failures that resulted in their customers being targeted by fraudsters. However, the vague nature of the rule that was supposedly broken illustrated the subjective nature of data protection law.

A new series of Game of Thrones led to a surge in streaming piracy, but Canadian telcos may not have learned the relevant lessons. This was reiterated when a court found that their heavy-handed tactics had abused the civil rights of the man behind TVAddons, a business which promotes the use of Kodi add-ons.

Vodafone UK generated yet more negative publicity with the way they implemented charges for a new security offering. Meanwhile, a consumer protection business found that a small UK telco was incorrectly charging customers because they were ignorant of the implications of a major change in the EU’s rules on roaming prices. And Australian provider TeleChoice lost a three year legal battle with a customer who refused to pay an AUD191,000 (USD151,000) phone bill after his phone was stolen at Mobile World Congress.

LinkedIn withdrew a pack entitled ‘Revenue Assurance 101’ from their SlideShare service because of copyright infringements by the person who had posted it, Gideon Ikwe. Sadly, they only did this after the offending pack had been seen over 10,000 times. Even more sadly, they allowed Gideon Ikwe to repost the pack to SlideShare later in the year.

September

US Senator Ron Wyden challenged telcos to improve the security of SS7. In contrast to network security, Israeli academics showed how trust between the components of a smartphone gives hackers a different line of attack.

A senior UK police officer lent his name to a new report into video streaming piracy, even though the report presented no new research and misrepresented the findings from irrelevant old research.

The disease of plagiarism in revenue assurance was taken to a new, funny, deplorable and ironic level when somebody published a revenue assurance book that even copied the cover of a worthless old book by Papa Rob Mattison of GRAPA.

After the success of RAG Bonn, there was an even bigger turnout for the first RAG conference to be held in Africa. African telcos showed they have risk and assurance professionals to rival any in the world, and the attendees of RAG Johannesburg heard how RAG’s global ERM survey had found African telcos have attained a level of risk maturity that many Western telcos struggle to achieve.

October

The Republic of Ireland was hit by a barrage of wangiri calls from Liberia and the Comoros Islands. The three Irish mobile operators and Comreg, the Irish regulator, advised customers to scrutinize their calls before returning them.

Two stories highlighted the ups and downs of fraud management in Africa. Safaricom’s annual report openly stated that 52 of their staff were fired because of their involvement in fraud. The Kenyan telco was transparent in explaining the ways they counter criminality in their business. Meanwhile, a fraud analyst working at MTN in South Africa was caught supplying politically-sensitive customer data to a known associate of businessmen accused of corrupt practices.

SAP acquired social login business Gigya in a move that sent an important signal about the future of user authentication on networked devices. However, many telco employees may not yet appreciate the significance of emerging trends.

Nearly three years after an error-prone billing system migration, the volume of complaints generated by customers of Vodafone UK finally fell to levels that are normal for other postpaid mobile operators.

November

The CEO of Cartesian stepped down as the company was effectively forced to delist from the Nasdaq stock exchange due to the prolonged slump in the value of its shares. The business made itself available to offers whilst undergoing a management restructure that replaced the outgoing CEO with a team of senior managers, suggesting that different divisions of the business would be encouraged to pursue separate strategies.

A former Vice-President of US telco Cox Communications pled guilty to charges of stealing millions of dollars by abusing lax controls over purchasing. Janet West had been responsible for marketing the US-wide rollout of Cox’s gigabit internet service. Earlier in the year West was touted as a role model, receiving an award for being one of the most ‘Positively Powerful’ women in the USA.

Research by Sandvine concluded that 6.5 percent of North American homes subscribe to paid pirate TV services. The problem of pirate internet television caused diplomatic tensions because Saudi authorities repeatedly ignored demands to counteract a pirate version of Qatar’s beIN sports channels. Meanwhile, hyperbole about the public safety risks of Kodi boxes reached a new level when an anti-piracy firm commissioned dubious research that literally concluded every single Kodi box is an electrical and fire hazard.

A precisely targeted cyber attack temporarily brought down the RAG website. The site was not breached and the motives for the attack have not been established.

December

More customers felt cheated by their telcos around the world. A budget Australian provider managed to triple-charge many of their customers, whilst a German service provider was fined by an Irish court for charging customers it did not even have.

The debate about what is a fair price for telecoms services raged on, with a Nobel prizewinner condemning the amounts charged in the USA and a British consumer advocacy business finding most customers can get cheaper rates just by asking for them.

A study by Acuity Market Intelligence claimed that one trillion transactions would rely on mobile biometrics by the year 2022, though the finding was undermined by observing that many of these ‘transactions’ would not involve any payment. The downside to accumulating more data, of any kind, was further confirmed when the makers of an Android keyboard app were found to have leaked data about 31mn users, including characters typed using the keyboard. Meanwhile, research into cyberinsurance claims by Willis Tower Watson found that most breaches were blamed on the malfeasance or negligence of employees.

What Lies Ahead

Though the world is becoming more complicated, it is not hard to extrapolate from the key stories of 2017. The problem is not the intellectual capacity to forecast the risks and how we should respond to them, but our willingness to be honest about the dangers. The severe decline in the security value of passwords, and the escalating frequency of data breaches were both predictable, whilst being highly undesirable. Hence some business people have chosen to delay necessary change because it was cheaper for them to do nothing. Risk can be rationalized away; an executive that refuses to see risk can always argue that they honestly believed the risks were being exaggerated by others, and that the highest estimates of risk were not supported by good data. So whilst the security failures of Yahoo knocked another USD350mn off the company’s value, CEO Marissa Mayer still received handsome rewards for her time in charge.

To put it plainly, some executives cannot be trusted to make the right decision. However, they are trusted to make the right decision; it is their job to make those decisions. Moaning about it will not make any difference, so risk and assurance professionals had better realize they will not get to overrule executive decisions just because they think they are wrong. If businesses take too many risks then the only way to curb those risks is to establish customs of behavior that curb excesses. But that will not happen in a profession where people think Gideon Ikwe’s plagiarism is a valuable contribution to thought leadership, or where plagiarists resort to plagiarizing each other because nobody has any incentive to share original work. Though the frauds and errors of yesteryear will never go away completely, the greater dangers lie elsewhere, and a profession that ignores those dangers should expect to become an irrelevance over time.

Old policeman say Kodi boxes are a threat but they rely on suppositions drawn from the golden days of DVD piracy, and the methods being used to scare customers away video streaming are equally backward. Meanwhile, we have always known that SS7 was not designed to be secure, but it seems the companies that send one time passwords by SMS are happy to blame telcos for the risks they are taking. We need to turn to robust data, reliable techniques, and the elaboration of common practices which are reinforced because they have been widely adopted. But when I look around the telco landscape I see tremendous obstacles in our path. There are no ‘quick wins’ to be found here, which is a problem made more acute when so many have defined their careers by the promise that they will always deliver quick wins. Deeply ingrained problems need collaborative solutions, but our fragmented discipline is weak at rewarding common effort. That is why new initiatives like the global expansion of RAG and the launch of a new professional award for telecoms risk professionals are vital to reinvigorating our field.

The challenge for our profession will be to maintain relevance whilst adapting to changing priorities. Nobody will care about some petty external fraud if a quarter of the company’s value has just been wiped out by a fraud committed by an insider. Shifting the focus from external to internal fraud is one obvious objective, and the reasons why this change will be resisted are equally obvious. Telephony is in decline so more effort needs to oriented towards securing the rights of intellectual property distributed by multiplay operators. However, countering piracy using Kodi is not like reconciling CDRs, and not everyone will wish to adapt. Billing errors still cause plenty of problems, as highlighted by the repeated stories of overcharging, but the willingness to overcharge highlights what is wrong with a simplistic argument that errors always lead to revenue leaks.

Telco networks are largely defined by trust, but that trust is an anachronism in a world where a replacement touchscreen can be used to hack a smartphone, and where criminals offer to intercept calls for just USD250 per person. To restore the trust of our customers we first need to replace trust with technique, and that includes the techniques needed to root out criminals in our companies, the techniques needed to authenticate every device and person that we connect with, and the techniques needed to secure data so it cannot possibly be abused. Complying with the law is too low a standard. Legislators know what end results they want but do not understand the work that needs to be done to get those results. The rate of change of technology increasingly leads to unacceptable gaps between the current level of the risk and legislators’ ability to impose new rules. When it comes to areas like data protection and the monetization of data we must make an internal argument for investment in the techniques that protect both the business and its customers instead of relying on the imposition of rules where enforcement will be unpredictable because the rules are highly subjective.

Public opinion about big businesses is at a very low ebb, making this a good time for risk and assurance professionals to take a lead. However, becoming true leaders also demands a change in how we think, as illustrated by the observations Norman Marks made during his final blog for the Institute of Internal Auditors. Too many prefer the reactive approach: calculating how to say sorry when data has been breached, firing the person who breaks company rules, connecting technologies whilst having no way to first assure they are safe. There is a lot of work to be done in these areas, and telco risk and assurance professionals have a great opportunity, if they want to see it that way. Every risk is an opportunity to show how we can make a difference. To do that, we must also have the ambition to make the world a better place. In the new year, I hope to see many professionals exhibiting a new degree of confidence and pride in their work, as they publicly seek to elevate everyone working in communications risk and assurance.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), an association of professionals working in risk management and business assurance for communications providers. RAG was founded in 2003 and Eric was appointed CEO in 2016.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press.

Related Articles

Get Our Weekly Newsletter by Email